A history of the events processed by each rule is included in the History panel on the Edit Event Rule page. This history is automatically trimmed as events are trimmed from your Carbon Black App Control database.
The History includes the following information:
- Date Created – The time stamp for when this rule was created.
- Created By – The console login account of the user who created the rule.
- Date Modified – The time stamp for when the rule was last modified.
- Last Modified By – The console login account of the user who last modified the rule.
- Last Evaluation Time – The time stamp of the last time the rule was triggered by a matching event. In addition, this field shows statistics for any activations of the rule in the past hour, including the number of times it was triggered, the number of events processed, and the time elapsed for processing.
- Last Processed Event – The time stamp of the last event that was processed with this rule. This value can be useful in determining whether there is a significant backlog in processing events, and in identifying which events in the event log might be processed next. Note that “processing” means the rule was processed, not that the resulting action has been completed.
Below the History panel, you can click on the Processed Events heading to show the table of events that have been processed by the current rule. This can help you monitor the impact of a rule. The Processed Events table shows the Status of each processed event, which is one of the following:
- Pending – The event matched the rule but the rule action has not been completed. If information is available about why the action is in this state, it is displayed as a tooltip when you hover over the Status.
- Simulated – The event was processed by the rule in Simulate only mode; the processing was recorded but the action was not executed. For more information, see Enable, Disable, and Delete Event Rules.
- Executed – The event was processed by the rule and the specified action was taken.
- Skipped – The rule was skipped because it would have taken an action that is prohibited or not relevant to the current conditions. For example, a rule cannot globally approve a banned file.